Towards Effective Third-Party Application Dialogs: Solutions for Improved Attention and Comprehension
Computer security dialogs communicate important information to users. One avenue where such dialogs are presented is third-party applications, which play an important role in enhancing a user's experience and are popular in online social networks and smartphones. The first category presented by these applications is the permission authorization dialogs that request access to user information. The second category is the terms and conditions dialogs that describe the applications' policies regarding user information.

Research has demonstrated that users have a strong tendency to ignore security dialogs, resulting in uninformed decisions. Unlike physical warnings, whose design and use are regulated by law and based on years of research, computer security dialogs are often designed in an arbitrary manner. This research examines two human factors that cause users to ignore these dialogs. Habituation, a key factor behind users' inattention towards dialogs, is a form of learning in which an organism decreases or ceases to respond to a stimulus after repeated presentations. User mental models, the second factor, are an integral part of what drives their behavior. Based on their limited understanding, users form incorrect perceptions about how their information is accessed and used.

This dissertation proposes solutions that address human factors in third-party application dialogs and conducts user experiments to evaluate them. It makes three contributions to improve third-party application dialogs regarding two information processing stages of the human-in-the-loop framework: (1) attention switch and maintenance, and (2) comprehension.

The first contribution proposes two new dialog designs to improve attention and resist habituation towards permission authorization dialogs presented by third-party applications on a popular online social network, Facebook. The first design investigates the use of animation. It uses a real-life analogy and leverages the end user's personal information examples to communicate the potential information disclosure in the event of permission authorization. The second design uses eye-gaze data from an eye-tracker as a mechanism for ensuring that the user reads the requested permissions before authorizing access to sensitive information.

The second contribution investigates advertisements as a potential environmental stimulus that can impede user attention towards the authorization dialog. A user experiment is conducted on a mockup of a popular gaming website to measure user attention in the presence and absence of advertisements comprising four types of content, namely food, shopping, politics, and sports.

The third contribution focuses on improving comprehension of the terms and conditions dialog, specifically the dialog displayed by Touch ID-enabled iOS applications. First, the potential misconceptions regarding Touch ID-based authentication with third-party applications are investigated. Second, four dialog designs are proposed to improve comprehension of the Touch ID terms and conditions dialog, specifically the information related to the discovered misconceptions about fingerprint data access, application account access by others, and the role of the fingerprint in Touch ID-based sign-in.